ANC - The Ultimate Vulnerability that just killed Javascript entirely

The source of JavaScript on this forum is Discourse though, open source software, so you can actually know and check for yourself what JavaScript code is going to be executed before you actually visit the site.

What about environments that use a fully randomized VDSO and PIE base execution randomization? From my understanding this exploit relies on other points of determinism in the ASLR implementation to work, so the less transparent the implementation, the fewer points of failure and thus the lower the attack surface area.

The testing indicated that the exploit assumes transparent interfacing.

[Looks at copyleft, GPL3, The Hurd, The Gnu Plus Linux Rant]
Yeah, about that...

RMS just says what his audience wants to hear, and makes a good living off of it. He's a brilliant guy; if you ever have the opportunity of talking to him off-camera when there are not too many people around, certainly do it, because he really is very intelligent and has exciting ideas. But with regards to his public statements and positions, I have to say that a lot if not most of that stuff is parallel universe stuff. The most successful even only halfway RMS-style distro, Trisquel, has been pretty much a dead project for the last two years, Hurd is a turd, etc... there is a practical limit to sensibility.
RMS cleverly has taken a broad position that will always prove him right, just because humanity, just because the powers that be don't need to be better or wiser to rule the world, they just need larger and better clubs to knock the rest on the head... the weakness of humanity does not make RMS's theory strong, it just means that humanity is weak.


The problem is not limited to the proof of concept. It doesn't really matter, there is not enough entropy in ANY implementation to prevent derandomization and reverse engineering. The only solution is to add an entropy factor that is not crackable because there is no "other side of the wall", which means unique and open source based strong encryption all the way into the CPU. And that's just never going to happen.

I'm seeing what happens when I run it on HardenedBSD's implementation as we speak. I think the issue is serious, but I also think the reporting of it has been rather alarmist.

This is a little over my head. Some questions.
Would Adblock Plus stop JS running on ads, or does it just hide the ads?

Would this exploit allow a client VM to break into the host?

ASLR seems to be fundamentally broken. Anything executing on your CPU could potentially do this. Client side security often isn't, and JavaScript is another example of client side security. Blocking JavaScript in a browser makes almost every site out there break. Many break real ugly too.


I would think it blocks the external script associated to the ad, does not touch inline scripts though.

Not had one break yet. Using uMatrix I did have to set up one or two to get them back to full function when I installed it. But since this happened and I have turned off all JavaScript in the browser, Adblock and uMatrix, there has not been a website freak out yet.

I was fully expecting it but no.


I have had many sites break over the years. If you block JavaScript, most sites' comment systems don't work, as they are by and large JavaScript based (Disqus).


Yes, that is still a thing for me on YouTube, but I have no use for those comment sections on most websites, so no noticeable loss at all for me. I deliberately got to the point where YouTube fully worked and then backed it off a bit so certain nonessential things don't work now, like comments.

Further to this question: I run a VPS, so does that mean other VPSs can run the exploit and get to bare metal, rendering VPSs obsolete?

@Marten Yeah, it's way over my head too, so Zoltan could probably correct me if I'm wrong.

As far as I understand, it doesn't matter if you're hosting a VM as a "protection layer". Everything currently running on your machine takes up some data in your memory. Everything also uses the same CPU. Both the VM and host use the same memory pool that the processor works with, and the CPU that is being "pinged" (or "pung" lol, yeah I listen to teamPGP while I work) probably isn't protected from this de-randomization attack just because you've sandboxed and virtualized some programs.

Then again, if someone is badass enough to know how to even use this table exploit, he's probably good enough to hack 99,99% of regular PC users through some other (less laborious) means. The problem is when the badass hacker (or government) tries to go for other governments' / banks' systems / security providers / military installations etc...

But we'll see what happens, this only means that even hackers are not secure, since they use the same damn processors so yeah...

Yes, VMs offer no real protection. It can slow down the process to a point in certain configurations that would also totally ruin any efficiency.

Hackers don't care if they're safe or not, because they use either hijacked systems, botnets or disposable systems to initiate attacks. 90% of blackhat hacking is social engineering though, tools, however powerful, are just tools, vulnerabilities are just targets, the biggest vulnerability of any system is the human factor, and the most dangerous attack vector is a smile or a compliment. And just like ASLR, this vulnerability will never be patched, and the harder they try to patch the human factor, the more dangerous the human vulnerability will become. Just like with the ASLR vulnerability, the only protection is to add enough entropy, but that is exactly what the powers that be are trying to eliminate at all cost.

Fact is that ASLR, the execute disable bit, etc... are, as it turns out, totally useless and make it ever harder to protect systems against hacks and to detect hacks and catch and identify hackers. The reality is that before ASLR was implemented, chip manufacturers had already found ways to encrypt CPU instructions to prevent reverse engineering... whereas that's stupid, because that is actually also protecting criminals and human rights violators... the opposite should happen: the user processes should be encrypted by the user, using the user's specs, under the user's control, excluding any and all other controlling instance, and the hardware and instructions should be entirely open source and fully documented. Any other solution than that pretty much means the death of computing in the future or the death of humanity, whichever one comes first.

The people who rejoice in the fact that the proof of concept doesn't work on Chrome, or only works with JavaScript, etc... are lying to themselves, because if this works with JavaScript, it works elsewhere also. If a couple of researchers from the VU Amsterdam can find this out without industry assistance, imagine how government agencies with industry assistance or extensive industrial espionage input have long been capable of exploiting every single aspect of this fundamental and unsolvable vulnerability.

The only solution is a complete change in the mentality of the IT industry, an obligation that everything with such great impact and power has to be open source hardware and software and has to allow for private, strong and personal encryption by the user... which is never going to happen. The powers that be fight against open source with all might, they prefer to kill humanity for profit, quite literally.

The reality is that the BIOS in your system, or the Intel ME in your chip, or the radio in your mobile device, offer a practical structural interface to the powers that be to exploit every aspect of a user's digital life. The reality is that de facto, a digital holocaust has already started. We're all surveilled around the clock, and we're all tagged with whatever tag they put on us. And they sure as hell haven't done any of that to protect us against evil people, rather it's the evil people who have done all of that to protect themselves from us lol.


Rejoice nothing. I raised a point that had not been mentioned and thus far has no reply of any use. I have still taken steps to do something. Though not enough, never enough, because there is fuck all useful information about this and how to protect against it other than not using a PC ever. Which is clearly not going to happen; you are still using yours too.

All that has happened is completely ignoring that this DOES NOT WORK in the cataclysmic way you describe. You are just happy to keep preaching doom to humanity and ignoring the reality.

I said hopefully the feature of Chrome that enables it to work does not get implemented. Not rejoicing that I am safe.

Edit: Call me out on it next time too please. Rather than snide remarks.

Sorry if you felt targeted, I wasn't actually talking about you; as far as I can see you didn't rejoice in Chrome, but Google is all over the place, and that's what I was reacting to, within the framework of me pointing out earlier that Google offers a lot of attack vector surface with their deep integration of often JavaScript-laden ads in their devices and services. Chrome might not vector the JavaScript proof of concept, but the web services certainly might, much deeper into the system even. That's why I mentioned that the rejoicing that is going on with Google pawns about the proof of concept not having been shown on Chrome on x86 is dumb. I should have probably formulated it in another way though, but I also feel it's always pretty clear that if I do massive bitching, it's always about big corporations and the likes, and if I challenge a particular user on the forum, I do it quite head-on and directly, and you've been around for quite a while on the forum, so you should have already noticed that too. Miscommunications and misinterpretations happen.

That being said, you should also know that exploring the limits of reality of a concept is a very efficient way to make people think about stuff. It is a totally bona fide rhetorical method that is part of standard debate, which is the object of this forum and the reason why people are here. It's also much more exciting than posting anime gifs. The goal is to make people participate, and different people have different thresholds to conquer indifference; that's why the use of more edgy rhetoric is not only justified, it's also desirable, both from an intellectual and a social point of view. It is also the goal of the exercise that a counter-argument is launched as a reaction; that is also desirable because it is part of the debate dynamic, but this counter-argument should not be dismissive by nature, for example through the use of a meta-argument or suggestion, which is something you actually just did... the object of the exercise is to make a real counter-argument using the subject matter at hand. So for instance, you could have argued that there is a lot of entropy already in the system, just by the volume of hardware: with almost 1.5 million ARM devices added every single day, it would be very hard to actually target everyone and go through the effort of derandomisation on a global scale. That would be a completely valid counter-argument. Then someone would again counter that with the argument that military targets and targets of particular political or martial interest are nonetheless extraordinarily exposed because of this hardware problem, which ironically is created by the military industrial complex itself basically. That would then conclude in a paradox, which is the end point of many logical conclusions made in a debate, as opposed to the conclusions people draw on their own, and that's the whole added value of the forum; that's why people on this forum do not swallow the news and believe everything they are told to believe.


Okay, I am sorry, it very much seems like a jab at me; I am the only one who even mentioned this at all here.

I tried, it amounted to zero. Looked up some more information on my own, nothing serious, just where I know it will be in plain English. That did not turn out well.

I am out of here. I have provided all I can, and now I am just making trouble.

Explain this in plain English, or a TL;DR version. 0-day exploit?

Yeah no that's not happening